Skullcode VM details (draft)

1. Analysis of M-Machine
2. =====================
3.  
4. Skullcode version: 1408337099853
5. (possibly a UNIX timestamp in milliseconds, i.e. 2014-08-18 04:44:59.853 UTC).
6.  
7. VM is a 32-bit CISC Von Neumann architecture with separate user/system rings and unrecoverable faults.
8. Endianness appears to be platform-dependent (due to the use of JS typed arrays). Despite appearances, the design is much closer to a typical VM design than a practical machine.
9.  
10. Rings
11. -----
12.  
13. The VM supports two rings, Ring 1 (User) and Ring 0 (System). The system boots in Ring 0 if the initial lock register value is 0, otherwise it will boot in Ring 1. Switching between rings uses the SET\_RING instruction, entering into Ring 0 from Ring 1 requires a 128-bit key to be specified or the VM will trap with an E\_PERM fault. Instructions specifying certain opcodes or utilizing the Register addressing mode may only be executed in Ring 0, and will trigger an E_PERM fault if executed in Ring 1.
14.  
15. Faults
16. ------
17.  
18. Faults cause the VM to hang ('dead' state) and bubble up to the VM management code,
19. which translates them to console messages. In addition to the reasons listed, faults
20. can be triggered manually via the TRAP instruction.
21.  
22. [number]: [name] - [message] - [description]
23. 0: E_NONE - "OK."
24. 1: E_PERM - "Permission Required." - Triggered on attempt to execute protected instruction in Ring 1.
25. 2: E_NOMEM - "Out of memory." - Triggered when 'grow()' fails. 'grow()' appears to be unused.
26. 3: E_INVALID - "Invalid operation." - Triggered when a malformed instruction is encountered.
27. 4: E_ACCESS - "Invalid memory access." - Unused, there is no memory protection.
28. 5: E_ALIGN - "Invalid access alignment." - Unused, unaligned accesses simply ignore the LSB.
29. 6: E_UNKNOWN - "Unknown error." - Unused.
30. 7: E_ENV - "Host environment exception." - Unused.
31. 8: E_HALT - "Halted." - Triggered by executing HLT
32. 9: E_NOSUPPORT - "Operation not supported." - Triggered on attempt to execute certain instructions.
33.  
34. Registers
35. ---------
36.  
37. The VM supports 7 'normal' registers and 7 'special' registers.
38. Only rParam can be directly read in Ring 1, though the registers 1-6 can be used as base registers for indexed addressing.
39. Note that 0x00 and 0x08 are not valid registers and will trigger E_INVALID or unspecified (instruction-dependent) behaviour if accessed.
40.  
41. Real:
42. 0x01: rHeap
43. 0x02: rParam - Index address for indexed/complex addressing, possibly intended as scratch memory/parameter storage area.
44. 0x03: rText
45. 0x04: rEntity
46. 0x05: rCode - Base address for branches
47. 0x06: rCall - Base address for the call stack
48. 0x07: *flags register*
49.  
50. Normal:
51. 0x09: body (?)
52. 0x0A: spine (?)
53. 0x0B: free (?)
54. 0x0C: seed (?)
55. 0x0D: rSig
56. 0x0E: rVirt
57. 0x0F: (op - rCode) (?)
58.  
59. Flags register is read only (E_INVALID on write?), with following format:
60.  
61. fedcba9876543210 fedcba9876543210
62. ?............... .............P?? // | cmp
63.  
64. P - 1 if executing in Ring 1, else 0
65. . - Read as zero, writes ignored.
66.  
67. todo: work out cmp
68.  
69. Call Stack
70. ----------
71.  
72. rCall stores the base address of a call stack. Position within the stack is stored in the *ret* internal register.
73.  
74. Function calls are implemented via two instructions, VISIT and RET.
75.  
76. VISIT pushes rParam (before adjustment) then PC, leading to the following call stack layout:
77.  
78. 0x00: [rParam]
79. 0x04: [ PC ]
80.  
81. RET simply pops PC and rParam.
82.  
83. Floating Point
84. --------------
85.  
86. The VM includes native support for floating point numbers, both single-precision and double-precision. Most arithmetic operations support floating point operations, but conversion between floating point and integer representations is not automatic (i.e. one cannot set *src* to a float and *dst* to an int, or vice versa).
87.  
88. There does not appear to be an obvious way to convert between floating point and integer representations; it is possible this was the intended purpose of the CONV_INT32 opcode.
89.  
90.  
91. Source/Destination Encoding
92. ---------------------------
93.  
94. Instructions marked with an (S) or (D) encode a source or destination in the instruction.
95.  
96. The VM supports Immediate, Register, Indexed and Complex address modes, depending on the selected flags. These flags are shared between source and destination encodings. The immediate flag applies only to source operands. Source and destination operands cannot both use Complex addressing simultaneously; if Complex is used for the source operand Indexed must be used for the destination operand, and vice versa.
97.  
98. The instruction source can be decoded by reading the following list and picking the first option that applies:
99.  
100. * If the **Immediate** flag is set AND the **Size** field is 2 AND *imm* is non-zero, use Register addressing with the register specified by *imm* (Note 1).
101. * If the **Immediate** flag is set, use Immediate addressing (Note 2).
102. * If the **inDexed** flag is set OR the **Base** field is 0, use Indexed addressing with offset given by *imm*.
103. * Use Complex addressing with offset given by *imm*.
104.  
105. Note 1: If the instruction is executed in Ring 1, fail with E\_PERM. If an invalid register number is given, fail with E\_INVALID. If a register number of 0 is given for the destination, the value is discarded.
106. Note 2: If the chosen size is 8-bit, the operand is encoded as *imm*, otherwise it will be encoded follow the instruction.
107.  
108. The instruction destination can be decoded by reading the following list and picking the first option that applies:
109.  
110. * If the **inDexed** flag is set AND the **Base** field is 0, use Register addressing with the register specified by *slot* (Note 1).
111. * If the **inDexed** flag is set, use Complex addressing with offset given by *slot*.
112. * Use Indexed addressing with offset given by *slot*.
113.  
114. Note 1: If the source operand is a floating point number, the value written to the register is undefined. If the source operand is longer than 32-bit, only the first 32 bits will be stored in the register.
115.  
116. Possible combinations of source and destination addressing modes and their encodings have been tabulated below:
117.  
118. | Source | Destination | Immediate | Base | inDexed | Size | imm |
119. |------------------|-------------|-----------|------|---------|------|------|
120. | Immediate | Register | 1 | 0 | 1 | != 2 | X |
121. | Immediate (Zero) | Register | 1 | 0 | 1 | 2 | 0 |
122. | Immediate | Indexed | 1 | X | 0 | != 2 | X |
123. | Immediate (Zero) | Indexed | 1 | X | 0 | 2 | 0 |
124. | Immediate | Complex | 1 | != 0 | 1 | != 2 | X |
125. | Immediate (Zero) | Complex | 1 | != 0 | 1 | 2 | 0 |
126. | Register | Register | 1 | 0 | 1 | 2 | != 0 |
127. | Register | Indexed | 1 | X | 0 | 2 | != 0 |
128. | Register | Complex | 1 | X | 1 | 2 | != 0 |
129. | Indexed | Register | 0 | 0 | 1 | X | X |
130. | Indexed | Indexed | 0 | 0 | 0 | X | X |
131. | Indexed | Complex | 0 | != 0 | 1 | X | X |
132. | Complex | Register | - | - | - | - | - |
133. | Complex | Indexed | 0 | !=0 | 0 | X | X |
134. | Complex | Complex | - | - | - | - | - |
135.  
136. Note: '!= n' indicates that the address mode applies when the field is NOT equal to n. 'X' indicates that the value has no effect on the choice of addressing mode. A row of '-' indicates that the listed combination of address modes cannot be encoded and hence is invalid.
137.  
138. Operand size is encoded in the **Size** field, as follows:
139.  
140. 0: 8-bit (byte) load
141. 1: 16-bit (word) load
142. 2: 32-bit (dword) load
143. 3: 64-bit (qword) load
144. 4: 128-bit (dqword) load
145. 5: 32-bit Float (single) load
146. 6: 64-bit Float (double) load
147. 7: *Same as 4*
148.  
149. 8-bit and 16-bit loads will be zero-extended if necessary. 8-bit loads are byte-aligned; 16-bit loads are word-aligned (i.e. LSB is ignored); 32-bit, 64-bit, 128-bit and Float (single) loads are dword-aligned (i.e. the 1st and 2nd LSB are ignored); and Float (double) loads are qword-aligned (i.e. the 1st through 3rd LSB are ignored).
150.  
151. Complex addressing utilizes the **Base** field, which encodes a register (or zero) as follows:
152.  
153. 0: *See below*
154. 1-6: Corresponding register in register table
155. 7: *Set base to zero*
156.  
157. For source encoding, a base of 0 will decode to Indexed addressing. For destination encoding, a base of 0 will decode to Register addressing.
158.  
159. Address Modes
160. -------------
161.  
162. **Register addressing** reads from or writes to a VM register directly. Register addressing is only supported in Ring 0, and will trigger an E_PERM fault if attempted in Ring 1.
163.  
164. Example:
165.  
166. MOV rParam, rHeap // Load the value of rParam into rHeap
167.  
168. **Immediate addressing** is only valid for source operands, and encodes the operand value directly within the instruction. If the operand is 8-bit, it is encoded in the instruction *imm* field, otherwise it is encoded in the instruction dwords immediately following the current instruction. Padding is required for 16-bit and Float (double) sizes:
169.  
170. * If the chosen size is 'double' and the next instruction offset is not 8-byte aligned, an additional 4 bytes of padding will be encoded BEFORE the operand to ensure the operand has 8-byte alignment.
171. * If the chosen size is 16-bit, padding will be added AFTER the operand to ensure the PC has 4-byte alignment.
172.  
173. Example:
174.  
175. TRAP.BYTE =0x2 // Trigger an E_NOMEM fault
176.  
177. **Indexed addressing** addresses a location in memory by adding an 8-bit offset encoded as *imm* (for source) or *slot (for destination) to the value of rParam.
178.  
179. Example:
180.  
181. MOV.DWORD [rParam+0x4], rText // Copy the 32-bit DWORD from the memory address specified by rParam+0x4 to rText
182.  
183. **Complex addressing** (or more accurately, Based Memory Indirect Indexed Plus Displacement addressing) addresses a location in memory by first performing an indexed addressed load as described above to obtain an address, then adding the value of a base register to that address to get the target address.
184.  
185. Example:
186.  
187. MOV.BYTE [[rParam+0x8]+rHeap], [rParam+0xC] // Load the DWORD at rParam+0x8 and add rHeap to get the target address,
188. // then load the data at the target address and copy it to rParam+0xC.
189.  
190. This addressing mode allows register-relative addresses to be stored relative to rParam, allowing (for example) a 'heap' base address to be loaded into rHeap and pointers to data on the heap to be stored in the function-specific 'rParam' address.
191.  
192. Registers 1-6 may be used as base registers,
193.  
194. Instructions
195. ------------
196.  
197. General instruction format (LSB 0 numbering, names are provisional):
198.  
199. fedcba9876543210 fedcba9876543210
200. [ imm ][ slot ] I[B]D[S][opcode]
201.  
202. imm: Immediate value, see 'Source/Destination Encoding'
203. slot: ? (used by setdst)
204. I: 'Immediate' flag, see 'Source/Destination Encoding'
205. B: 'Base' field, see 'Source/Destination Encoding'
206. D: 'inDexed' field, see 'Source/Destination Encoding'
207. S: 'Size' field, see 'Source/Destination Encoding'
208. opcode: Instruction opcode, see table.
209.  
210. Opcodes are as follows (names are provisional, descriptions/tags are incomplete):
211.  
212. 0x00 - HALT (P)
213. Trap VM with error code E_HALT
214. 0x01 - TRAP (S)
215. Trap VM with error code in *src*
216. 0x02 - WAIT (S)
217. ?
218. 0x03 - FINGER (SD)
219. ?
220. 0x04 - FINGER_RESET
221. Clear finger state?
222. 0x05 - ENHANCE (D)
223. ?
224. 0x06 - PUT16 (D)
225. Write 0x00000000 0x00000000 0x00000000 0x00000016 to *dst*?
226. 0x07 - ENHANCE_LOCK (P)
227. ENHANCE and store result in lock registers
228. 0x08 - SET_RING (S)
229. Set the RING bit to LSB of *src*. If moving from Ring 1 to Ring 0, VM will trap with E_PERM unless "ENHANCE *src*" == *lock*?
230. 0x09 - MOV (SD)
231. Move data from *src* to *dst*
232. 0x0A - COMPARE (S)
233. ?
234. 0x0B - B_*cond* (SU)
235. Jump to rCode + *src* if condition is true.
236. Format:
237.  
238. fedcba9876543210 fedcba9876543210
239. [ imm ][cond].. I[B]D[S][opcode]
240.  
241. cond - condition to check.
242. Conditions are as follows:
243. 0x0: ALWAYS
244. 0x1: ? (cmp bit 0x2 set)
245. 0x2: ? (cmp bit 0x80000000 set)
246. 0x3: ? (cmp bit 0x80000000 OR 0x2 set)
247. 0x4: ? (cmp bit 0x80000000 AND 0x2 clear)
248. 0x5: ? (cmp bit 0x80000000 clear)
249. 0x6: ? (cmp bit 0x2 clear)
250. 0x7: ? (cmp bit 0x1 set)
251. 0x8: ? (cmp bit 0x1 OR 0x2 set)
252. 0x9: ? (cmp bit 0x1 AND 0x2 clear)
253. 0xA: ? (cmp bit 0x1 clear)
254. All other conditions trap with E_INVALID.
255.  
256. 0x0C - *unsupported*
257. 0x0D - ADD (S) ???
258. todo: see 'addition'
259. 0x0E - SUB (S) ???
260. todo: see 'subtraction'
261. 0x0F - NOT (S) ???
262. todo: see 'bitNOT'
263. 0x10 - XOR (S) ???
264. todo: see 'bitXOR'
265. 0x11 - AND (S) ???
266. todo: see 'bitAND'
267. 0x12 - OR (S) ???
268. todo: see 'bitOR'
269. 0x13 - SHL ???
270. todo: see 'bitSHL'
271. 0x14 - SHRX ???
272. todo: see 'bitSHRX'
273. 0x15 - SHR ???
274. todo: see 'bitSHR'
275. 0x16 - SPINL ???
276. todo: see 'bitSpinL'
277. 0x17 - SPINR ???
278. todo: see 'bitSpinR'
279. 0x18 - SIGN_EXTEND (S) ???
280. todo: see 'signExtend'
281. 0x19 - NEGATE (S) ???
282. todo: see 'negate'
283. 0x1A - MULTIPLY (S) ???
284. todo: see 'multiplication'
285. 0x1B - DIVIDE (S) ???
286. todo: see 'division'
287. 0x1C - MODULO (S) ???
288. todo: see 'modulous'
289. 0x1D - DIVIDE_UNSIGNED (S) ???
290. todo: see 'divisionUnsigned'
291. 0x1E - MODULO_UNSIGNED (S) ???
292. todo: see 'modulousUnsigned'
293. 0x1F - VISIT (SU)
294. Add *adj* to rParam and call function at rCode + *src* (refer to **Call Stack**).
295. Format:
296.  
297. fedcba9876543210 fedcba9876543210
298. [ imm ][ adj ] I[B]D[S][opcode]
299.  
300. adj - value to add to rParam (will be multiplied by 4).
301.  
302. 0x20 - RET
303. Return to caller (refer to **Call Stack**).
304. 0x21 - *unsupported*
305. 0x22 - *unsupported*
306. 0x23 - CONV_INT32 (S)
307. Appears to be unimplemented (*src* is decoded but no operation is performed).
308. 0x24 - *unsupported*
309. 0x25 - *unsupported*
310. 0x26 - *unsupported*
311. 0x27 - *unsupported*
312. 0x28 - *unsupported*
313. 0x29 - GET_TIME (D)
314. Get current time as a floating point number (equiv. to javascript Date.now()). Requires floating-point destination.
315. 0x2A - CLOCK (D)
316. Get time since last call to CLOCK in seconds as an integer. Requires integer destination.
317.  
318. Notes: Some opcodes have labels, these labels are to be interpreted as follows
319. P - Protected Instruction (execution in Ring 1 will trap E_PERM)
320. S - Uses SRC field (see SRC notes)
321. D - Uses DST field (see DST notes)
322. U - Uses instruction-specific format
323.  
324. *unsupported* opcodes will trap with E\_NOSUPPORT. Unlisted opcodes will trap with E\_INVALID.
325.  
326. VM internal names:
327. cute = insn
328. op = PC
329. ring = current mode
330. cmp = flags (excluding ring)
331. v0, v1, v2, v3 = working registers?
332. f0 = floating point working register?
333. lock0, lock1, lock2, lock3 = 'Lock' registers for entering ring0?
334. delta = time of previous call to CLOCK